ABSTRACT

Tardos codes are currently the state-of-the-art in the de- 
sign of practical collusion-resistant fingerprinting codes. Tar- 
dos codes rely on a secret vector drawn from a publicly known 
probability distribution in order to generate each Buyer's fin- 
gerprint. For security purposes, this secret vector must not be 
revealed to the Buyers. To prevent an untrustworthy Provider 
forging a copy of a Work with an innocent Buyer's finger- 
print, previous asymmetric fingerprinting algorithms enforce 
the idea of the Buyers generating their own fingerprint. Ap- 
plying this concept to Tardos codes is challenging since the 
fingerprint must be based on this secret vector.

This paper provides the first solution for an asymmetric
fingerprinting protocol dedicated to Tardos codes. The motivations
come from a new attack, in which an untrustworthy Provider frames
an innocent Buyer by modifying his secret vector.

Index Terms — Asymmetric fingerprinting, Tardos code 

1. INTRODUCTION 

This paper considers a problem arising in the fingerprinting of 
digital content. In this context, a fingerprint is a binary code 
that is inserted into the Work for the purpose of protecting it 
from unauthorized use, or, more precisely, for the purpose of 
identifying individuals responsible for unauthorized use of a 
Work. In such a scenario, it is assumed that two or more users 
may collude in order to try to hide their identities. In this 
case, it is further assumed that colluders cannot alter those 
bits of the code that are identical for all colluders. However, 
where bits differ across colluders, these bits may be assigned 
arbitrary values. A key problem is resistance to collusion, i.e. 
if a coalition of c users creates a pirated copy of the Work, its 
tampered fingerprint (i) should not implicate innocent users, 
and (ii) should identify at least one of the colluders. 

This problem has received considerable attention since 
Boneh and Shaw HI discussed the problem. They first in- 
troduced the concept of totally c-secure codes: if a coalition 
of c users colludes to produce a pirate copy of the Work, 
the tampered fingerprint is still guaranteed to identify at least 
one of the colluders, with no chance of framing an innocent. 



Boneh and Shaw showed that totally c-secure binary codes
do not exist for c > 1. They then introduced the concept
of a c-secure code such that the probability of framing an
innocent is lower than $\epsilon$. Unfortunately, the length of their
codes, $O(c^4 \log(n/\epsilon) \log(1/\epsilon))$, where n is the number
of users, was such as to make them impractical. Following Boneh and
Shaw's paper, there has been considerable effort to design
shorter codes.

In 2003, Tardos [2] proposed an efficient code construction
that, for the first time, reduced the code length to the
lower bound, $O(c^2 \log(n/\epsilon))$, thereby making such codes
practical. Tardos codes are currently the state-of-the-art for
collusion-resistant fingerprinting.

Several papers have considered a scenario where the 
Provider is untrustworthy. Thanks to the knowledge of a 
Buyer's fingerprint, the Provider creates a pirated copy of 
a Work, implicating this innocent Buyer. To prevent this, 
Pfitzmann [5] first introduced the concept of asymmetric fingerprinting
in which the Provider doesn't need to know the
Buyer's fingerprint. The Buyer first commits to a secret (the 
fingerprint) that only he/she knows. The Buyer and Provider 
then follow a protocol which results in the Buyer receiving 
a copy of the Work with his/her secret fingerprint (and some 
additional information coming from the Provider) embedded 
within it. The Provider did not learn the Buyer's secret, and 
cannot therefore create a forgery. Unfortunately, in the case 
of Tardos codes, fingerprints must be drawn from a particular 
probability distribution depending on a secret vector only 
known to the Provider. Thus, previous asymmetric finger- 
printing methods cannot be applied to Tardos codes. 

The Tardos decoding is also vulnerable to an additional 
attack, in which the Provider does not need to create a forgery. 
Rather, given any unauthorized copy, i.e. a Work that does 
not contain the innocent Buyer's fingerprint, the Provider can 
alter its secret vector in order to accuse an arbitrary Buyer. 

Our paper is organized as follows. We briefly introduce
Tardos codes in Sec. 2. Sec. 3 describes the attack at the
decoding side. In order to prevent both the Buyer and the
Provider from cheating, Sec. 4 presents a new asymmetric
protocol specific to Tardos codes. Sec. 5 then discusses practical
aspects of the fingerprints embedding and accusation. We
finally discuss our solution in Sec. 6 before concluding.

2. THE TARDOS FINGERPRINTING CODE 

For readers unfamiliar with Tardos codes, we now provide a 
brief introduction. Further details can be found in @J. 

Let n denote the number of buyers, and m the length of
the code. The fingerprints can then be arranged as a binary
$n \times m$ matrix X, Buyer j being related to the binary fingerprint
$X_j = (X_{j,1}, X_{j,2}, \ldots, X_{j,m})$.

To generate this matrix, m real numbers $p_i \in [t, 1-t]$
are generated, each of them being randomly and independently
drawn according to the probability density function
$f : [t, 1-t] \to \mathbb{R}^+$ with $f(z) = \kappa(t)(z(1-z))^{-1/2}$ and
$\kappa(t)^{-1} = \int_t^{1-t} (z(1-z))^{-1/2}\,dz$. The parameter $t \ll 1$ is
referred to as the cutoff. We set $p = (p_1, \ldots, p_m)$. This vector
p is the secret key of the code only known by the Provider.
Each element of the matrix X is then independently randomly
drawn, such that the probability that an element, $X_{j,i}$, in the
matrix is a one is given by $P(X_{j,i} = 1) = p_i$. The fingerprint
is then embedded into the copy of the Work of the corresponding
Buyer thanks to a watermarking technique.

If an unauthorized copy is found, its corresponding finger- 
print, Y, is decoded. Due to collusion, and possible distor- 
tions such as transcoding, the decoded fingerprint is unlikely 
to exactly equal one of the fingerprints in the matrix, X. To 
determine if Buyer j is involved in the production of the unau- 
thorized copy, a score, referred to as an accusation score, Sj 
is computed. If this score is greater than a given threshold Z, 
then Buyer j is considered to have colluded. 

The scores are computed according to an accusation function
g, reflecting the impact of the correlation between the
sequence $X_j$, associated with Buyer j, and the decoded
sequence Y:

$$S_j = G(Y, X_j, p) = \sum_{i=1}^{m} g(Y_i, X_{j,i}, p_i). \qquad (1)$$

In the usual symmetric codes [4], function g is constrained
(such that, for example, for an innocent, the expectation of
the score is zero and its variance is m), giving
$g(1,1,p) = g(0,0,1-p) = -g(0,1,p) = -g(1,0,1-p) = \sqrt{(1-p)/p}$.

3. UNTRUSTWORTHY CONTENT PROVIDER 

We now consider the case where the Provider is no longer
trusted, and, as such, wishes to frame Buyer j. In such a scenario,
we assume that the Provider has no prior access to an
unauthorized copy, i.e. the Provider cannot insert a false
fingerprint into the unauthorized copy, nor can he/she place a
Buyer's copy on an unauthorized location. On receipt of an
unauthorized copy, we further assume that the untrustworthy
Provider extracts the corresponding fingerprint present in
the unauthorized copy. We base this assumption on the hypothesis
that the underlying watermarking algorithm comes
from a technology provider and that the Provider doesn't master
or has no access to this technology brick. Given the extracted
fingerprint Y, the Provider must now compare it to all
known Buyers' fingerprints. This comparison is performed
using Eq. (1). And it is here that the Provider can lie, since
the probabilities, p, are only known to the Provider.

An untrustworthy Provider can create a fake vector of
probabilities, $\tilde{p}$, that implicates Buyer j. However, the
distribution, f(p), is publicly known, so the question becomes,
can the Provider generate a $\tilde{p}$ that (i) implicates Buyer j, and
(ii) has an arbitrarily high probability of being drawn from the
distribution f(p)?

It is indeed extremely simple to do so. Let us focus on
a column where $p_i = p$ and $Y_i = X_{j,i}$. The true summand
in Eq. (1) is g(1,1,p) or g(0,0,p) (with equal probability).
Suppose that the content provider replaces the secret value p
by a fake secret $\tilde{p}$ which is drawn independently according to
f. On average, this summand takes the new value:

$$\Delta(t) = \int_t^{1-t} \frac{g(1,1,p) + g(0,0,p)}{2} f(p)\,dp \approx \frac{1}{\pi} \ln\frac{1}{t}.$$

For a cutoff t = 1/900 (recommended by G. Tardos to fight
against 3 colluders), the numerical value is surprisingly high:
$\Delta(1/900) \approx 2.16$. Suppose now that the content provider
applies the same strategy on an index i where $Y_i \neq X_{j,i}$.
Then the expectation is the opposite. However, in a Tardos
code, even for an innocent Buyer j, the proportion $\alpha$ of indices
where symbols $Y_i$ and $X_{j,i}$ agree is above 1/2 for most
collusion strategies. For instance, with an interleaving
collusion attack, $\alpha = 3/4$ whatever the collusion size c.

Based on this knowledge, we propose the following attack.
The Provider computes the score for all Buyers, which,
on average, equals 0 for innocent Buyers and $2m/(c\pi)$ for the
colluders JH. The Provider initializes $\tilde{p} = p$. Then, he/she
randomly selects a column i and randomly draws a fake secret
$\tilde{p}_i \sim f$. He/she re-computes the score of Buyer j with this
fake secret and iterates, selecting a different column, until $S_j$
is above the threshold Z. On average, $m(c\pi\Delta(\alpha - 1/2))^{-1}$
secret values $p_i$ need to be changed in this way, e.g. only
20% of the code length if the copy has been made using an
interleaving attack.
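
The procedure above, simulated numerically as an added example (not code from the paper), to show how far an innocent Buyer's score drifts when the judge has to take p on the Provider's word. Assumptions of this sketch: an interleaving collusion, a threshold Z set to the colluders' average score 2m/(cπ), constructed random data, and all function names.

```python
import math
import random

def draw_p(rng, t):
    """Sample p ~ f on [t, 1-t], f(z) proportional to (z(1-z))^(-1/2), as sin^2(theta)."""
    lo = math.asin(math.sqrt(t))
    return math.sin(rng.uniform(lo, math.pi / 2 - lo)) ** 2

def g(y, x, p):
    """Symmetric accusation function of Sec. 2: g(1,1,p) = sqrt((1-p)/p), etc."""
    v = math.sqrt((1 - p) / p) if x == 1 else math.sqrt(p / (1 - p))
    return v if y == x else -v

def frame(rng, y, x, p, t, z):
    """Re-draw randomly chosen columns of p until the score of word x exceeds z.
    Returns (original score, number of columns changed, final score)."""
    terms = [g(yi, xi, pi) for yi, xi, pi in zip(y, x, p)]
    s0 = score = sum(terms)
    order = list(range(len(p)))
    rng.shuffle(order)                       # columns picked independently of x and y
    changed = 0
    for i in order:
        if score > z:
            break
        fake = draw_p(rng, t)                # fake secret, still distributed as f
        score += g(y[i], x[i], fake) - terms[i]
        changed += 1
    return s0, changed, score

def predicted_changes(m, c, delta, alpha):
    """Average count given in the text: m / (c * pi * Delta * (alpha - 1/2))."""
    return m / (c * math.pi * delta * (alpha - 0.5))

def simulate(m=1000, c=3, t=1 / 900, innocents=10, seed=1):
    rng = random.Random(seed)
    p = [draw_p(rng, t) for _ in range(m)]

    def draw_word():
        return [int(rng.random() < pi) for pi in p]

    coalition = [draw_word() for _ in range(c)]
    # Interleaving collusion: every pirated bit is copied from a random colluder.
    y = [rng.choice(coalition)[i] for i in range(m)]
    z = 2 * m / (c * math.pi)                # assumed threshold: mean colluder score
    return z, [frame(rng, y, draw_word(), p, t, z) for _ in range(innocents)]

if __name__ == "__main__":
    z, runs = simulate()
    print("threshold Z = %.1f" % z)
    for s0, changed, final in runs:
        print("innocent score %7.1f -> %7.1f after %d re-drawn columns" % (s0, final, changed))
    print("predicted by the text: %.0f columns" % predicted_changes(1000, 3, 2.16, 0.75))
```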

Fig. 1 illustrates this attack for the case where the code
length is m = 1000 and the number of colluders is c = 3.
The solid coloured lines depict the accusation scores of 10
randomly selected innocent buyers. We observe that after between
20-30% of the elements of p have been altered, the
accusation scores of the innocent Buyers exceed the original
scores of the colluders. In fact, the colluders' accusation
scores also increase. However, we are not concerned with the
highest score, but rather with any score exceeding the threshold.
Thus, it is sufficient to raise the score of the innocent
Buyer, even if this raises all other Buyers' scores as well.

Fig. 1. Accusation score as a function of the number of
changed elements of the vector p for the case where m = 
1000 and c = 3. The solid coloured lines show how the ac- 
cusation score of 10 randomly selected innocent buyers in- 
creases as more of the elements are modified. The dotted hor- 
izontal lines show the original scores for the colluders before 
the modification. 



Randomly selecting some $p_i$'s (independently from $X_j$
and Y) and re-drawing them according to the same law ensures
that $\tilde{p}_i \sim f$. Therefore, a judge observing $\tilde{p}$ cannot
distinguish the forgery. For this reason, the judge might request
to see the matrix X to statistically test whether the elements
of X are drawn from the distribution $\tilde{p}$. In this case, the
Provider can give a fake matrix X where the columns whose
$p_i$ have been modified are re-drawn such that
$P(X_{k,i} = 1) = \tilde{p}_i, \forall k \neq j$. The only way to prevent this
deception would be if the judge asked an innocent User $k \neq j$ for
his copy in order to verify the authenticity of X. This latter step
seems somewhat odd.



4. AN ASYMMETRIC TARDOS CODE 
CONSTRUCTION 

In previous asymmetric fingerprinting schemes, it is up to the 
Buyer to generate his or her fingerprint. The Buyer then sends 
a commitment to the Provider, which prevents the Buyer from 
changing the fingerprint during the protocol. Unfortunately, 
this cannot be done with a Tardos code since the fingerprint 
must follow a given statistical distribution controlled by p, 
and p is only known to the Provider. This section proposes 
a solution to this problem, which consists of two phases. We 
first review its main building blocks. 



4.1. Building blocks 

There are two key building blocks to the proposed protocol. 
The first is a block involving encryption primitives, while the 
second involves double-blind random selection. 

4.1.1. Encryption Primitives 

We need two cryptographic primitives: a regular symmetric
cryptosystem E (e.g. AES) and a commutative encryption
scheme CE (e.g. in [5, 6]). This latter primitive has the following
property. For every key $k_1$ and $k_2$, and for every message
m, ciphering twice with $k_1$ and then $k_2$, or $k_2$ and then
$k_1$ leads to the same result:

$$CE(k_1, CE(k_2, m)) = CE(k_2, CE(k_1, m)). \qquad (2)$$

4.1.2. Pick a card, any card! 

Here we introduce a double-blind random selection protocol
between two entities A and B, based on 0. Let $\{O_k\}_{k=1}^{N}$ be
a list of N objects offered by entity A. We now explain how
entity B selects an item from this list without actually seeing
the list and entity A does not know which item entity B picked.

Entity A chooses N secret keys for the E cryptosystem
called $\{K_k\}_{k=1}^{N}$ and computes the cipher texts
$C_k = E(K_k, O_k)$. Entity A also chooses a secret key S for the
CE cryptosystem and encrypts the previous keys such that
$D_k = CE(S, K_k)$. He sends B the lists $\mathcal{C} = \{C_k\}_{k=1}^{N}$ and
$\mathcal{D} = \{D_k\}_{k=1}^{N}$. Entity B chooses an index $k \in [N]$ (with the
notation $[N] = \{1, \ldots, N\}$), a secret key R for the CE
cryptosystem, and sends A the cipher $U_k = CE(R, D_k)$. Entity
A decrypts $U_k$ with his key S and sends B the result. Thanks
to the commutative property, this message indeed equals
$CE(R, K_k)$, which B is able to decrypt thanks to his/her key
R. The result is the key $K_k$ which deciphers $C_k$ onto the
object $O_k$.

4.2. Phase 1: Generation of the fingerprint 

We use the above protocol m times to generate the fingerprint
of the j-th Buyer $X_j = (X_{j,1}, \ldots, X_{j,m})$. In this generation
phase, A is the Provider, and B is Buyer j. The Provider generates
a secret vector p for a Tardos code. Each $p_i$ is quantized
such that $p_i = L_i/N$ with $L_i \in [N-1]$.

For a given index i, the objects are the concatenation of a
binary symbol and a text string. There are only two versions
of an object in list $\mathcal{C}_i$. For $L_i$ objects, $O_{k,i} = (1 \| \mathrm{ref}_{1,i})$, and
$O_{k,i} = (0 \| \mathrm{ref}_{0,i})$ for the $N - L_i$ remaining ones. The use
of the text strings $\{\mathrm{ref}_{X,i}\}$ depends on the content distribution
mode as detailed in Sec. 5.1. The object $O_{k,i}$ is encrypted
with key $K_{k,i}$ and stored in the list $\mathcal{C}_i = \{C_{k,i}\}_{k=1}^{N}$. There are
thus as many different lists $\mathcal{C}_i$ as the length m of the fingerprint.
These lists are published in a public Write Once Read
Many (WORM) directory [7] whose access is granted to all
users. As explicitly stated in its name, nobody can modify or
erase what has been put the first time in a WORM directory;
besides, anybody can check its integrity.

Fig. 2. Generation of a fingerprint bit.

On the contrary, the $\mathcal{D}$-lists are made specific to a given
Buyer j. The Provider picks a secret key $S_j$ and a permutation
$\pi_j(\cdot)$ over [N]. This Buyer is offered a list $\mathcal{D}_{j,i}$ of N items
as $D_{j,k,i} = CE(S_j, (\pi_j(k) \| K_{\pi_j(k),i}))$. Therefore, the lists $\mathcal{C}_i$
are common for all users, whereas the lists $\mathcal{D}_{j,i}$ are specific to
Buyer j. We have introduced here a slight change with respect to the
protocol of Sec. 4.1.2, i.e. the permutation $\pi_j$ whose role is explained
below. Buyer j chooses a secret $R_{j,i}$ and one object in the
list, say the k(j, i)-th object. He/she sends the corresponding
ciphertext $U_{k(j,i),i} = CE(R_{j,i}, D_{j,k(j,i),i})$, which is decrypted by the
Provider with $S_j$ and sent back to the Buyer who, at the end,
gets the index $\mathrm{ind}(j,i) = \pi_j(k(j,i))$ and the key $K_{\mathrm{ind}(j,i),i}$,
which grants him/her the access to the object $O_{\mathrm{ind}(j,i),i}$, stored
encrypted in the WORM. It contains the symbol $b_{\mathrm{ind}(j,i),i}$.
This will be the value of the i-th bit of his/her fingerprint,
$X_{j,i} = b_{\mathrm{ind}(j,i),i}$, which equals '1' with probability $p_i$.

The Provider keeps in a log file the values of $S_j$ and
$U_{k(j,i),i}$; the user keeps $R_{j,i}$ in his/her records.
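
The exchange of Sec. 4.1.2 as it is used in Phase 1 for one fingerprint bit, written out as an added example (not code from the paper). Assumptions of this sketch: exponentiation modulo a toy prime stands in for CE, a SHA-256 keystream XOR stands in for E, the order of the WORM list is shuffled, and all names and sample objects are constructed here.

```python
import hashlib
import math
import random

P = 2**127 - 1                      # toy prime modulus for CE (assumption)

def ce_key(rng):
    """Secret CE exponent, invertible modulo P - 1."""
    while True:
        k = rng.randrange(3, P - 1)
        if math.gcd(k, P - 1) == 1:
            return k

def ce(k, m):                       # CE(k, m) = m^k mod P, commutative as in Eq. (2)
    return pow(m, k, P)

def ce_inv(k, c):
    return pow(c, pow(k, -1, P - 1), P)

def e(key, data):
    """Stand-in for E: XOR with a SHA-256 keystream (its own inverse)."""
    stream = hashlib.sha256(key.to_bytes(12, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def publish_column(rng, n_obj, ones, i):
    """Provider: WORM list C_i; 'ones' objects carry symbol 1, the rest 0."""
    objs = [b"1|ref1,%d" % i] * ones + [b"0|ref0,%d" % i] * (n_obj - ones)
    rng.shuffle(objs)               # order hidden from Buyers (choice of this sketch)
    keys = [rng.getrandbits(96) for _ in objs]
    return keys, [e(k, o) for k, o in zip(keys, objs)]

def offer(rng, keys, s):
    """Provider: Buyer-specific list D_{j,i} = CE(S_j, pi_j(k) || K_{pi_j(k),i})."""
    perm = list(range(1, len(keys) + 1))
    rng.shuffle(perm)
    return [ce(s, (ind << 96) | keys[ind - 1]) for ind in perm]

def fingerprint_bit(rng, keys, worm):
    """One round of Phase 1; returns (ind, bit) as learnt by the Buyer."""
    s, r = ce_key(rng), ce_key(rng)           # S_j (Provider), R_{j,i} (Buyer)
    d_list = offer(rng, keys, s)              # Provider -> Buyer
    k = rng.randrange(len(d_list))            # Buyer's blind choice k(j, i)
    u = ce(r, d_list[k])                      # Buyer -> Provider: U
    v = ce_inv(s, u)                          # Provider -> Buyer: CE(R, ind || K)
    msg = ce_inv(r, v)                        # Buyer removes his/her own layer
    ind, key = msg >> 96, msg & (2**96 - 1)
    obj = e(key, worm[ind - 1])               # open the WORM entry
    return ind, int(obj[:1] == b"1")

def demo(seed=7, n_obj=10, ones=3, buyers=300):
    """Returns (every Buyer's bit matches the WORM object, frequency of '1')."""
    rng = random.Random(seed)
    keys, worm = publish_column(rng, n_obj, ones, i=1)
    truth = [int(e(k, c)[:1] == b"1") for k, c in zip(keys, worm)]
    picks = [fingerprint_bit(rng, keys, worm) for _ in range(buyers)]
    consistent = all(truth[ind - 1] == bit for ind, bit in picks)
    return consistent, sum(bit for _, bit in picks) / buyers

if __name__ == "__main__":
    print(demo())                   # frequency should be close to L_i / N = 0.3
```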

4.3. Phase 2: Disclosure of the halfword 

For a more practical accusation process (see Sec. 5.2), the
Provider will order Buyer j to reveal $m_h < m$ bits of his
fingerprint (phase 1 has been completed). This is done in order
to build the so-called halfword allowing the Provider to
list a bunch of suspected users to be forwarded to the judge
(see Sec. 5.2). The following facts must be enforced: Buyer
j doesn't know which bits of his/her fingerprint are disclosed,
and the Provider asks for the same bit indices to all the users.

Again, we propose to use the double-blind random selection
protocol of Sec. 4.1.2. Now, Buyer j plays the role
of A, and the Provider the role of B, N = m, and object
$O_i = (R_{j,i} \| \mathrm{alea}_{j,i})$. These items are the m secret keys selected
by Buyer j during Sec. 4.2 concatenated with random
strings $\mathrm{alea}_{j,i}$ to be created by Buyer j. This alea finds its
use during the personalization of the content (see Sec. 5.1).
Following the protocol, the Provider selects $m_h$ such objects.
The decryption of message $U_{k(j,i),i}$ received during the construction
phase of Sec. 4.2 thanks to the disclosure of the key
$R_{j,i}$ yields $D_{j,k(j,i),i}$ which in turn decrypted with key $S_j$
provides the index of the selected object, otherwise the protocol
stops. This prevents a colluder from denying the symbol
of his fingerprint and from copying the symbol of an accomplice.
At the end, the Provider learns which item was picked
by Buyer j at index i. Therefore, he/she ends up with $m_h$
couples $(X_{j,i}, \mathrm{alea}_{j,i})$ associated to a given Buyer j.

Thanks to this second part of our protocol, the Provider
discloses $m_h$ bits of the fingerprints without revealing any
knowledge about the others, and Buyer j doesn't know which
bits of his fingerprint were disclosed even if the Provider always
chooses the same indices from a user to another. Of
course, Buyer j refuses to follow this part of the protocol for
more than $m_h$ objects.



5. OTHER IMPLEMENTATION DETAILS 

At this point, we have introduced both a new attack and a new
asymmetric fingerprinting algorithm that are both specific to
Tardos codes. The astute reader will be aware that our asymmetric
fingerprinting protocol does not constitute a complete
system. Here we briefly touch upon other implementation



5.1. Watermarking 

First, we need an algorithm so that the Provider sends the
Buyer a copy of the Work with his/her fingerprint embedded,
given the Provider does not know this fingerprint. There exist
buyer-seller protocols for embedding a sequence $X_j$ into
a content c without disclosing $X_j$ to the seller and c to the
buyer. They are based on homomorphic encryption schemes
and work with some specific implementations of spread spectrum
[8] or Quantization Index Modulation watermarking [9].
The reader is directed to 0[9] for further details. These methods
can be adapted to embed the Tardos codes, but due to
space limitations, a brief sketch of the adaptation of [9] is
presented hereafter.

We adapt the secure embedding proposed in the last cited
work as follows. Let $c_i^{(0)} = (c_{i,1}^{(0)}, \ldots, c_{i,Q}^{(0)})$ (resp. $c_i^{(1)}$) be the
Q quantized components (like pixels, DCT coefficients, portion of
streams etc) of the i-th content block watermarked with symbol
'0' (resp. with symbol '1'). Denote $d_i = c_i^{(1)} - c_i^{(0)}$.
Assume as in [9, Sect. 5], an additive homomorphic and
probabilistic encryption $E[\cdot]$ such as the Paillier cryptosystem.
Buyer j has a pair of public/private keys $(pk_j, sk_j)$ and sends
$(E_{pk_j}[X_{j,1}], \ldots, E_{pk_j}[X_{j,m}])$. The Provider sends him/her
the ciphers

$$E_{pk_j}[c_{i,\ell}^{(0)}] \cdot E_{pk_j}[X_{j,i}]^{d_{i,\ell}}, \quad \forall (i,\ell) \in [m] \times [Q].$$

Thanks to the homomorphism, Buyer j decrypts this with $sk_j$
into $c_{i,\ell}^{(0)}$ if $X_{j,i} = 0$, $c_{i,\ell}^{(1)}$ if $X_{j,i} = 1$. Since $X_{j,i}$ is constant
for the Q components of the i-th block, a lot of bandwidth
and computer power will be saved with a composite signal
representation as detailed in [9, Sect. 3.2.2].

A crucial step in these buyer-seller protocols is to prove
to the seller that what is sent by the Buyer is indeed the
encryption of bits, and moreover bits of the Buyer's fingerprint.
To do so usually involves complex zero-knowledge subprotocols
HI IU. We believe we can avoid this complexity by
taking advantage of the fact that the Provider already knows
some bits of the fingerprint $X_j$, i.e. those belonging to the
halfword (see Sect. 4.3), and the Buyers do not know the indices
of these bits. Therefore, in $m_v$ random indices of the
halfword, the Provider asks the Buyer j to open his/her commitment.
For one such index $i_v$, Buyer j reveals the random
value $r_{i_v}$ of the probabilistic Paillier encryption (with the notation
of [9]). The Provider computes $g^{X_{j,i_v}} h^{r_{i_v}} \bmod N$ and
verifies it equals the $i_v$-th cipher, which Buyer j pretended to
be $E_{pk_j}[X_{j,i_v}]$.
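
The embedding step of this section and the opening check on a halfword bit, as an added example (not code from the paper or from [9]). Assumptions of this sketch: textbook Paillier with g = n + 1 and ciphers of the form g^m r^n mod n^2 rather than the g^X h^r notation of [9], toy primes, constructed block values, and all function names.

```python
import math
import random

P, Q = 2**31 - 1, 2**61 - 1          # toy primes, far too small for real use

def keygen():
    n = P * Q
    lam = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
    return n, (lam, pow(lam, -1, n))  # pk = n, sk = (lambda, mu)

def rand_r(rng, n):
    while True:
        r = rng.randrange(2, n)
        if math.gcd(r, n) == 1:
            return r

def enc(n, m, r):
    """Paillier: E[m] = (1 + n)^m * r^n mod n^2."""
    return pow(1 + n, m, n * n) * pow(r, n, n * n) % (n * n)

def dec(n, sk, c):
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def embed(n, c0, c1, enc_bits, rng):
    """Provider: E[c0_il] * E[X_i]^(d_il) with d = c1 - c0, for every block i
    and component l; the Provider never sees X_i in the clear."""
    n2 = n * n
    return [[enc(n, a, rand_r(rng, n)) * pow(ex, (b - a) % n, n2) % n2
             for a, b in zip(blk0, blk1)]
            for blk0, blk1, ex in zip(c0, c1, enc_bits)]

def opening_ok(n, cipher, halfword_bit, r):
    """Provider: recompute the cipher from the halfword bit it already knows
    and the randomness r revealed by the Buyer."""
    return enc(n, halfword_bit, r) == cipher

def demo(seed=3):
    rng = random.Random(seed)
    n, sk = keygen()
    x = [1, 0, 1, 1]                                  # constructed fingerprint bits
    c0 = [[10, 200], [57, 58], [0, 255], [128, 64]]   # constructed blocks, Q = 2
    c1 = [[12, 197], [55, 60], [3, 250], [126, 66]]
    rs = [rand_r(rng, n) for _ in x]
    sent = [enc(n, b, r) for b, r in zip(x, rs)]      # Buyer -> Provider
    got = [[dec(n, sk, c) for c in blk] for blk in embed(n, c0, c1, sent, rng)]
    want = [b1 if bit else b0 for bit, b0, b1 in zip(x, c0, c1)]
    # A Buyer who encrypted '0' where the halfword bit is '1' cannot open it.
    lie = enc(n, 0, rs[0])
    return (got == want,
            opening_ok(n, sent[0], x[0], rs[0]),
            opening_ok(n, lie, x[0], rs[0]))

if __name__ == "__main__":
    print(demo())
```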

One drawback of this simple verification scheme is that
the Buyer discovers $m_v$ indices of the halfword. This may
give rise to more elaborate collusion attacks. For example,
Buyer j, as a colluder, could try to enforce $Y_{i_v} \neq X_{j,i_v}$ when
attempting to forge a pirated copy. Further discussion of this
is beyond the scope of this paper.

This approach may also introduce a threat to the Buyer.
An untrustworthy Provider can ask to open the commitments
of non-halfword bits in order to disclose bits he/she is not
supposed to know. For this reason, the Provider needs to
send $\mathrm{alea}_{j,i_v}$ as defined in Sec. 4.3 to show Buyer j
that his/her verification occurs on a halfword bit.

5.2. The accusation procedure 

When an unauthorized copy is found, the Provider decodes
the watermark and extracts the sequence Y from the pirated
content. The Provider computes the halfscores by applying
Eq. (1) only on the halfwords. This produces a list of suspects,
e.g. those users whose score is above a threshold, or those
users with the highest scores.

Of course, this list cannot be trusted, since the Provider
may be untrustworthy. The list is therefore sent to a third
party, referred to as the Judge, who first verifies the computation
of the halfscores. If different values are found, the
Provider is black-listed. Otherwise, the Judge computes the
scores of the full fingerprint.

To do so, the Judge needs the secret p: he/she asks the
Provider for the keys $\{K_{k,i}\}, \forall (k,i) \in [N] \times [m]$ and thereby
obtains from the WORM all the objects $\{O_{k,i}\}$, and therefore
the true values of $(p_1, \ldots, p_m)$. The Judge must also request
suspected Buyer j for the keys $R_{j,i}$ in order to decrypt
the messages $U_{k(j,i),i}$ in $D_{j,k(j,i),i}$ which reveal which object
Buyer j picked during the i-th round of Sec. 4.2 and whence
$X_{j,i}$. Finally, the Judge accuses the user whose score over the
full length fingerprint is above a given threshold (related to a
probability of false alarm).

5.3. Security 

Suppose first that the Provider is honest and denote by c the
collusion size. A reliable tracing capability on the halfwords
is needed to avoid false alarms. Therefore, as proven by G.
Tardos, $m_h = O(c^2 \log n\epsilon^{-1})$, where $\epsilon$ is the probability of
suspecting some innocent Buyers. Moreover, successful collusions
are avoided if there are secret values such that $p_i < c^{-1}$
or $p_i > 1 - c^{-1}$ (see flTOl ). Therefore, N should be sufficiently
big, around a hundred, to resist against collusion of
size of the order of ten. During the generation of the fingerprint
in Sec. 4.2, permutation $\pi_j(\cdot)$ makes sure that Buyer j
randomly picks up a bit '1' with probability $p_i = L_i/N$ as
needed in the Tardos code. In particular, a colluder cannot
benefit from the discoveries made by his accomplices.

We now analyze why colluders would cheat during the
watermarking of their version of the Work described in
Sec. 5.1. By comparing their fingerprints, they see indices
where they all have the same symbols, be it '0' or '1'. As
explained in the introduction, they won't be able to alter those
bits in the tampered fingerprint except if they cheat during the
watermarking: If their fingerprint bits at index i all equal '1',
one of them must pretend he/she has a '0' in this position. If
they succeed to do so for all these positions, they will be able to
forge a pirated copy with a null fingerprint for instance.

How many times do the colluders need to cheat? With
probability $p_i^c$ (resp. $(1 - p_i)^c$), they all have bit '1' (resp. '0')
at index i. Thus, there are on average
$m_c(c) = m \int_t^{1-t} (p^c + (1-p)^c) f(p)\,dp$ such indices. The Provider
asks for a bit verification with probability $m_v/m_h$. The probability
of a successful attack for a collusion of size c is therefore
$(1 - m_v/m_h)^{m_c(c)}$. Our numerical simulations have shown that
$m_v$ shouldn't be more than 50 bits for typical code length and
collusion size below a hundred. Thus, $m_v$ is well below $m_h$.

Suppose now that the Provider is dishonest. The fact that
the m lists $\mathcal{C}_i, \forall i \in [m]$ are public and not modifiable prevents
the Provider from altering them for a specific Buyer in
order to frame him/her afterwards. Moreover, it will raise
the Judge's suspicion if the empirical distribution of the $p_i$
is not close to the pdf f. Yet, biases can be introduced on
the probabilities for the symbols of the colluders' fingerprint
only if there is a coalition between them and the untrustworthy
Provider. For instance, the Provider can choose a permutation
such that by selecting the first item (resp. the last
one) in the list $\mathcal{D}_{j,i}$, an accomplice colluder is sure to pick
up a symbol '1' (resp. '0'). This ruins the tracing property
of the code, but this does not allow the Provider to frame an
innocent. First, it is guaranteed that p used in Eq. (1) is the
one which generated the code. Second, the Provider and his
accomplice colluders must ignore a significant part of the
fingerprints of innocent Buyers. To this end, $m - m_h$ must
also be in order of $O(c^2 \log n\epsilon^{-1})$. If this holds, the Judge
is able to take a reliable decision while discarding the halfword
part of the fingerprint. Consequently, $m \approx 2m_h$, our
protocol has doubled the typical code length, which is still in
$O(c^2 \log n\epsilon^{-1})$.

6. DISCUSSION AND SUMMARY 

Tardos codes are currently the state-of-the-art in collusion- 
resistant fingerprinting. However, the previous asymmetric 
fingerprint protocols cannot be applied to this particular con- 
struction. There are mainly two difficulties. First, the Buyer 
has to generate his/her secret fingerprint but according to vec- 
tor p, which is kept secret by the Provider. Second, the vector 
p used in the accusation process must be the same as the one 
which generated the fingerprints. 

We have proposed a new asymmetric fingerprinting pro- 
tocol dedicated to Tardos codes. We believe that this is the 
first such protocol, and that it is practically efficient. 

The construction of the fingerprints and their embedding 
within pieces of Work do not need a trusted third party. 

Note, however, that during the accusation stage, a trusted 
third party is necessary like in any asymmetric fingerprinting 
scheme we are aware of. Further work is needed to determine 
if such a third-party can be eliminated. In particular, we an- 
ticipate that some form of secure multi-party computation can 
be applied. 

Other extensions to this work include (i) non-binary Tar- 
dos codes, and (ii) implementation on compliant consumer 
devices such as Blu-Ray players. We also plan to develop this 
as part of future work. 